[Freeipa-devel] [freeipa PR#926][closed] test_caless: remove xfail in wildcard certificate tests
URL: https://github.com/freeipa/freeipa/pull/926
Author: Rezney
Title: #926: test_caless: remove xfail in wildcard certificate tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/926/head:pr926
git checkout pr926

___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#922][closed] logging: make sure logging level is set to proper value
URL: https://github.com/freeipa/freeipa/pull/922
Author: tomaskrizek
Title: #922: logging: make sure logging level is set to proper value
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/922/head:pr922
git checkout pr922
[Freeipa-devel] [freeipa PR#928][closed] WebUI: fix jslint error
URL: https://github.com/freeipa/freeipa/pull/928
Author: pvomacka
Title: #928: WebUI: fix jslint error
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/928/head:pr928
git checkout pr928
[Freeipa-devel] [freeipa PR#911][closed] WebUI: fix for negative number in pagination size settings
URL: https://github.com/freeipa/freeipa/pull/911
Author: pvomacka
Title: #911: WebUI: fix for negative number in pagination size settings
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/911/head:pr911
git checkout pr911
[Freeipa-devel] [freeipa PR#915][opened] [master only] Move tmpfiles.d configuration handling back to spec file
URL: https://github.com/freeipa/freeipa/pull/915 Author: martbab Title: #915: [master only] Move tmpfiles.d configuration handling back to spec file Action: opened PR body: """ Since ipaapi user is now created during RPM install and not in runtime, we may switch back to shipping tmpfiles.d configuration directly in RPMs and not create it in runtime, which is a preferred way to handle drop-in configuration anyway. This also means that the drop-in config will be shipped in /usr/lib instead of /etc according to Fedora packaging guidelines. This partially reverts commit 38c66896de1769077cd5b057133606ec5eeaf62b. https://pagure.io/freeipa/issue/7053 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/915/head:pr915 git checkout pr915 From cd76bf8b30e13b56548c0a1b2153f4f775d0ea5d Mon Sep 17 00:00:00 2001 
From: Martin BabinskyDate: Tue, 11 Jul 2017 14:10:28 +0200 Subject: [PATCH] Move tmpfiles.d configuration handling back to spec file Since ipaapi user is now created during RPM install and not in runtime, we may switch back to shipping tmpfiles.d configuration directly in RPMs and not create it in runtime, which is a preferred way to handle drop-in configuration anyway. This also means that the drop-in config will be shipped in /usr/lib instead of /etc according to Fedora packaging guidelines. This partially reverts commit 38c66896de1769077cd5b057133606ec5eeaf62b. https://pagure.io/freeipa/issue/7053 --- configure.ac | 1 + freeipa.spec.in| 3 ++- init/Makefile.am | 2 +- init/tmpfilesd/Makefile.am | 20 init/tmpfilesd/ipa.conf.in | 3 +++ install/share/Makefile.am | 1 - install/share/ipa.conf.tmpfiles| 2 -- ipaplatform/base/paths.py | 1 - ipaplatform/base/tasks.py | 8 ipaplatform/redhat/tasks.py| 21 - ipaserver/install/server/install.py| 10 -- ipaserver/install/server/replicainstall.py | 3 --- ipaserver/install/server/upgrade.py| 4 13 files changed, 27 insertions(+), 52 deletions(-) create mode 100644 init/tmpfilesd/Makefile.am create mode 100644 init/tmpfilesd/ipa.conf.in delete mode 100644 install/share/ipa.conf.tmpfiles diff --git a/configure.ac b/configure.ac index c43759c5bb..f098eb1dac 100644 --- a/configure.ac +++ b/configure.ac @@ -558,6 +558,7 @@ AC_CONFIG_FILES([ daemons/ipa-slapi-plugins/ipa-range-check/Makefile daemons/ipa-slapi-plugins/topology/Makefile init/systemd/Makefile +init/tmpfilesd/Makefile init/Makefile install/Makefile install/certmonger/Makefile diff --git a/freeipa.spec.in b/freeipa.spec.in index 72ce4ccc2c..1073987e98 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1321,6 +1321,8 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf +# NOTE: systemd specific section +%{_tmpfilesdir}/ipa.conf %attr(644,root,root) %{_unitdir}/ipa-custodia.service %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf # END @@ -1330,7 +1332,6 @@ fi %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template -%{_usr}/share/ipa/ipa.conf.tmpfiles %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template diff --git a/init/Makefile.am b/init/Makefile.am index bee4243912..8f4d1d0a8f 100644 --- a/init/Makefile.am +++ b/init/Makefile.am @@ -2,7 +2,7 @@ # AUTOMAKE_OPTIONS = 1.7 -SUBDIRS = systemd +SUBDIRS = systemd tmpfilesd dist_sysconfenv_DATA = \ ipa-dnskeysyncd \ diff --git a/init/tmpfilesd/Makefile.am b/init/tmpfilesd/Makefile.am new file mode 100644 index 00..7db2e9e0cd --- /dev/null +++ b/init/tmpfilesd/Makefile.am @@ -0,0 +1,20 @@ +dist_noinst_DATA = \ + ipa.conf.in + +systemdtmpfiles_DATA = \ + ipa.conf + +CLEANFILES = $(systemdtmpfiles_DATA) + +%: %.in Makefile + sed -e 's|@localstatedir[@]|$(localstatedir)|g' '$(srcdir)/$@.in' >$@ + +# create empty directories as needed +# DESTDIR might not be set, in that case default to system root +DESTDIR ?= / +install-data-hook: + for conf in $(systemdtmpfiles_DATA); do \ + systemd-tmpfiles --remove --create --boot \ +--root $(DESTDIR) \ +$(DESTDIR)$(systemdtmpfilesdir)/$${conf} || :; \ + done diff --git a/init/tmpfilesd/ipa.conf.in b/init/tmpfilesd/ipa.conf.in new file mode 100644 index 00..750e808edb --- /dev/null +++ b/init/tmpfilesd/ipa.conf.in @@ -0,0 +1,3 @@ +d @localstatedir@/run/ipa 0711 root root +d @localstatedir@/run/ipa/ccaches 0770 ipaapi ipaapi + diff --git
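Review bot: the freeipa.spec.in hunk only adds `%{_tmpfilesdir}/ipa.conf` to %files (and drops the old `%{_usr}/share/ipa/ipa.conf.tmpfiles` entry), so on a host that upgrades to this package nothing creates `/run/ipa` and `/run/ipa/ccaches` until the next reboot, and the commit message plus the diffstat (deletions only in ipaplatform/redhat/tasks.py and ipaserver/install/server/upgrade.py) indicate the runtime creation path is being removed. Consider a `%post` call such as `systemd-tmpfiles --create %{_tmpfilesdir}/ipa.conf >/dev/null 2>&1 || :`, which is the usual Fedora pattern for tmpfiles.d drop-ins, so an upgraded server gets its ccache directory without a reboot.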
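Review bot: in the init/tmpfilesd/Makefile.am hunk, the install-data-hook runs `systemd-tmpfiles --remove --create --boot --root $(DESTDIR) ...` with `DESTDIR ?= /` as the fallback, so a plain `make install` on a developer machine creates directories on the live system, and the trailing `|| :` hides every failure, including the case where the `ipaapi` user required by the `ccaches` line in ipa.conf.in does not exist yet. Consider running the hook only when DESTDIR points at the real root (an RPM build root does not need the directories, and %files does not ship them), and drop `--remove`, which is a no-op for a file that contains only `d` lines. Both `?=` and the `%: %.in` pattern rule are GNU make extensions; fine if the build already requires GNU make, but worth a comment.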
[Freeipa-devel] [freeipa PR#912][opened] [4-5 only] replica install: drop-in IPA specific config to tmpfiles.d
URL: https://github.com/freeipa/freeipa/pull/912 Author: martbab Title: #912: [4-5 only] replica install: drop-in IPA specific config to tmpfiles.d Action: opened PR body: """ While server installation and upgrade code configures the IPA specific tmpfiles location and creates relevant directories, the replica installer code path is covered incompletely and one step is missing. https://pagure.io/freeipa/issue/7053 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/912/head:pr912 git checkout pr912 From d8933ead6569c71be606683d568664637c19a722 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Tue, 11 Jul 2017 12:41:38 +0200 Subject: [PATCH] replica install: drop-in IPA specific config to tmpfiles.d While server installation and upgrade code configures the IPA specific tmpfiles location and creates relevant directories, the replica installer code path is covered incompletely and one step is missing. https://pagure.io/freeipa/issue/7053 --- ipaserver/install/server/replicainstall.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 4f28de25bd..814925de15 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1515,6 +1515,9 @@ def install(installer): # remove the extracted replica file remove_replica_info_dir(installer) +# Make sure the files we crated in /var/run are recreated at startup +tasks.configure_tmpfiles() + # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
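Review bot: typo in the comment added in the replicainstall.py hunk: `crated` should read `created`. The step itself is placed after `remove_replica_info_dir(installer)` and before `services.knownservices.ipa.enable()`, which is the right spot, since the tmpfiles.d drop-in has to be in place before the service is ever started.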
[Freeipa-devel] [freeipa PR#623][closed] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623
Author: HonzaCholasta
Title: #623: client install: do not assume /etc/krb5.conf.d exists
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/623/head:pr623
git checkout pr623
[Freeipa-devel] [freeipa PR#893][opened] smard card advises fixes + general improvements
URL: https://github.com/freeipa/freeipa/pull/893 Author: martbab Title: #893: smard card advises fixes + general improvements Action: opened PR body: """ Add some missing operations to the client/server smart card advises and fix issues. Also provide more transparent generators of Bash control flow branches and loops. https://pagure.io/freeipa/issue/7036 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/893/head:pr893 git checkout pr893 From d50a6278ab151e0facda48a64006a48507ec6e25 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Wed, 21 Jun 2017 18:28:50 +0200 Subject: [PATCH 01/11] smart-card advise: configure systemwide NSS DB also on master Previously the Smart card signing CA cert was uploaded to systemwide NSS DB only on the client, but it need to be added also to the server. Modify the advise plugins to allow for common configuration steps to occur in both cases. https://pagure.io/freeipa/issue/7036 --- ipaserver/advise/plugins/smart_card_auth.py | 59 + 1 file changed, 35 insertions(+), 24 deletions(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index 5859e35093..0ee4808d47 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py 
@@ -10,8 +10,39 @@ register = Registry() +class common_smart_card_auth_config(Advice): +""" +Common steps required to properly configure both server and client for +smart card auth +""" + +systemwide_nssdb = paths.NSS_DB_DIR +smart_card_ca_cert_variable_name = "SC_CA_CERT" + +def check_and_set_ca_cert_path(self): +ca_path_variable = self.smart_card_ca_cert_variable_name +self.log.command("{}=$1".format(ca_path_variable)) +self.log.exit_on_predicate( +'[ -z "${}" ]'.format(ca_path_variable), +['You need to provide the path to the PEM file containing CA ' + 'signing the Smart Cards'] +) +self.log.exit_on_predicate( +'[ ! -f "${}" ]'.format(ca_path_variable), +['Invalid CA certificate filename: ${}'.format(ca_path_variable), + 'Please check that the path exists and is a valid file'] +) + +def upload_smartcard_ca_certificate_to_systemwide_db(self): +self.log.command( +'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format( +self.systemwide_nssdb, self.smart_card_ca_cert_variable_name +) +) + + @register() -class config_server_for_smart_card_auth(Advice): +class config_server_for_smart_card_auth(common_smart_card_auth_config): """ Configures smart card authentication via Kerberos (PKINIT) and for WebUI """ @@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice): def get_info(self): self.log.exit_on_nonroot_euid() +self.check_and_set_ca_cert_path() self.check_ccache_not_empty() self.check_hostname_is_in_masters() self.resolve_ipaca_records() @@ -37,6 +69,7 @@ def get_info(self): self.record_httpd_ocsp_status() self.check_and_enable_pkinit() self.enable_ok_to_auth_as_delegate_on_http_principal() +self.upload_smartcard_ca_certificate_to_systemwide_db() def check_ccache_not_empty(self): self.log.comment('Check whether the credential cache is not empty') 
@@ -162,11 +195,10 @@ def enable_ok_to_auth_as_delegate_on_http_principal(self): @register() -class config_client_for_smart_card_auth(Advice): +class config_client_for_smart_card_auth(common_smart_card_auth_config): """ Configures smart card authentication on FreeIPA client """ -smart_card_ca_cert_variable_name = "SC_CA_CERT" description = ("Instructions for enabling Smart Card authentication on " " a single FreeIPA client. Configures Smart Card daemon, " @@ -190,20 +222,6 @@ def get_info(self): self.run_authconfig_to_configure_smart_card_auth() self.restart_sssd() -def check_and_set_ca_cert_path(self): -ca_path_variable = self.smart_card_ca_cert_variable_name -self.log.command("{}=$1".format(ca_path_variable)) -self.log.exit_on_predicate( -'[ -z "${}" ]'.format(ca_path_variable), -['You need to provide the path to the PEM file containing CA ' - 'signing the Smart Cards'] -) -self.log.exit_on_predicate( -'[ ! -f "${}" ]'.format(ca_path_variable), -['Invalid CA certificate filename: ${}'.format(ca_path_variable), - 'Please check that the path exists and is a valid file'] -) - def check_and_remove_pam_pkcs11(self): self.log.command('rpm -qi pam_pkcs11 > /dev/null') self.log.commands_on_predicate( @@ -247,13 +265,6 @@ def
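Review bot: in the first smart_card_auth.py hunk, `upload_smartcard_ca_certificate_to_systemwide_db` emits `certutil -d <nssdb> -A -i $SC_CA_CERT -n "Smart Card CA" -t CT,C,C` with the path variable unquoted, so a PEM path containing spaces breaks the generated script even though `check_and_set_ca_cert_path` tests the same variable quoted (`[ ! -f "$SC_CA_CERT" ]`); write it as `-i "$SC_CA_CERT"`. Two further points on the same command: the fixed nickname "Smart Card CA" means a second run with a different CA collides with the first entry in the systemwide NSS DB instead of adding another issuer, and the trust flags `CT,C,C` make the certificate a trusted CA for SSL server certificates, e-mail and object signing as well as for client authentication, which is wider than validating smart card client certificates needs; either document why that breadth is intended or narrow the flags to the client-auth trust bit.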
[Freeipa-devel] [freeipa PR#876][closed] python-netifaces: update to reflect upstream changes
URL: https://github.com/freeipa/freeipa/pull/876
Author: MartinBasti
Title: #876: python-netifaces: update to reflect upstream changes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/876/head:pr876
git checkout pr876
[Freeipa-devel] [freeipa PR#873][comment] kra: promote: Get ticket before attempting to get KRA keys with custodia
URL: https://github.com/freeipa/freeipa/pull/873
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia

martbab commented:
"""
master:
* 342f72140f9bd8b8db19f469ae4c56cac7492901 kra: promote: Get ticket before calling custodia
ipa-4-5:
* 15076a1c2b0fb31dce3903e5f50cab9edf68ad07 kra: promote: Get ticket before calling custodia
"""

See the full comment at https://github.com/freeipa/freeipa/pull/873#issuecomment-308661144
[Freeipa-devel] [freeipa PR#701][+pushed] ipa help doesn't always work
URL: https://github.com/freeipa/freeipa/pull/701
Title: #701: ipa help doesn't always work
Label: +pushed
[Freeipa-devel] [freeipa PR#867][+pushed] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
Label: +pushed
[Freeipa-devel] [freeipa PR#867][comment] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest

martbab commented:
"""
Never mind, I fixed this for @abbra. Let's wait for Travis and then we can push it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/867#issuecomment-308434278
[Freeipa-devel] [freeipa PR#867][synchronized] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867 Author: abbra Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/867/head:pr867 git checkout pr867 From 2cd8af5201af9e2e962c4987a3b3641f3b83c982 Mon Sep 17 00:00:00 2001 
From: Alexander BokovoyDate: Mon, 12 Jun 2017 11:05:06 +0300 Subject: [PATCH] trust-mod: allow modifying list of UPNs of a trusted forest There are two ways for maintaining user principal names (UPNs) in Active Directory: - associate UPN suffixes with the forest root and then allow for each user account to choose UPN suffix for logon - directly modify userPrincipalName attribute in LDAP Both approaches lead to the same result: AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ. The latter (directly modify userPrincipalName) case has a consequence that this UPN suffix is not visible via netr_DsRGetForestTrustInformation DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN suffix does belong to a trusted Active Directory forest. As result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest. This is especially true for one-word UPNs which otherwise wouldn't work properly on Kerberos level for both FreeIPA and Active Directory. Administrators are responsible for amending the list of UPNs associated with the forest in this case. With this commit, an option is added to 'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a trusted forest root. As with all '-mod' commands, the change replaces existing UPNs when applied, so administrators are responsible to specify all of them: ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new} Fixes: https://pagure.io/freeipa/issue/7015 --- API.txt| 3 ++- VERSION.m4 | 4 ++-- ipaserver/plugins/trust.py | 3 ++- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 44567a22da..aabd9c0d4a 100644 --- a/API.txt +++ b/API.txt 
@@ -5772,11 +5772,12 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: trust_mod/1 -args: 1,9,3 +args: 1,10,3 arg: Str('cn', cli_name='realm') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') +option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upn_suffixes') option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming') option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing') option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/VERSION.m4 b/VERSION.m4 index 706c243739..cc308f1e23 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 227) -# Last change: Add `pkinit-status` command +define(IPA_API_VERSION_MINOR, 228) +# Last change: Expose ipaNTAdditionalSuffixes in trust-mod diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 075b39dcc3..d0bbfbc47c 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -553,8 +553,9 @@ class trust(LDAPObject): flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), Str('ipantadditionalsuffixes*', +cli_name='upn_suffixes', label=_('UPN suffixes'), -flags={'no_create', 'no_update', 'no_search'}, +flags={'no_create', 'no_search'}, ), ) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
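Review bot: the trust.py hunk drops `no_update` from the flags of `ipantadditionalsuffixes*` so the attribute becomes writable through trust-mod, but no validation or normalization is added: any string is accepted, including values containing `@` or whitespace, and since (as the commit message says) a -mod call replaces the whole list, a typo silently removes suffixes that SSSD currently relies on for users of that forest. Consider a validator for the suffix format and a doc string on the option that states the replace semantics and points at `--addattr`/`--delattr` (visible in the same API.txt hunk) for incremental changes; the VERSION.m4 bump to API minor 228 makes this public API, so the semantics are worth fixing before it ships.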
[Freeipa-devel] [freeipa PR#867][synchronized] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867 Author: abbra Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/867/head:pr867 git checkout pr867 From eed383573ccad874114194e724c9ba282b2e4529 Mon Sep 17 00:00:00 2001 
From: Alexander BokovoyDate: Mon, 12 Jun 2017 11:05:06 +0300 Subject: [PATCH 1/2] trust-mod: allow modifying list of UPNs of a trusted forest There are two ways for maintaining user principal names (UPNs) in Active Directory: - associate UPN suffixes with the forest root and then allow for each user account to choose UPN suffix for logon - directly modify userPrincipalName attribute in LDAP Both approaches lead to the same result: AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ. The latter (directly modify userPrincipalName) case has a consequence that this UPN suffix is not visible via netr_DsRGetForestTrustInformation DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN suffix does belong to a trusted Active Directory forest. As result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest. This is especially true for one-word UPNs which otherwise wouldn't work properly on Kerberos level for both FreeIPA and Active Directory. Administrators are responsible for amending the list of UPNs associated with the forest in this case. With this commit, an option is added to 'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a trusted forest root. As with all '-mod' commands, the change replaces existing UPNs when applied, so administrators are responsible to specify all of them: ipa trust-mod ad.test --upns={existing.upn,another_upn,new} Fixes: https://pagure.io/freeipa/issue/7015 --- API.txt| 3 ++- VERSION.m4 | 4 ++-- ipaserver/plugins/trust.py | 3 ++- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 44567a22da..4930b0d6b2 100644 --- a/API.txt +++ b/API.txt 
@@ -5772,11 +5772,12 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: trust_mod/1 -args: 1,9,3 +args: 1,10,3 arg: Str('cn', cli_name='realm') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') +option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upns') option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming') option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing') option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/VERSION.m4 b/VERSION.m4 index 706c243739..cc308f1e23 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 227) -# Last change: Add `pkinit-status` command +define(IPA_API_VERSION_MINOR, 228) +# Last change: Expose ipaNTAdditionalSuffixes in trust-mod diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 075b39dcc3..310634904e 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -553,8 +553,9 @@ class trust(LDAPObject): flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), Str('ipantadditionalsuffixes*', +cli_name='upns', label=_('UPN suffixes'), -flags={'no_create', 'no_update', 'no_search'}, +flags={'no_create', 'no_search'}, ), ) From 78e0a8f1fb352b2db54ec220646505c914c0760d Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Mon, 12 Jun 2017 11:05:06 +0300 Subject: [PATCH 2/2] trust-mod: allow modifying list of UPNs of a trusted forest There are two ways for maintaining user principal names (UPNs) in Active Directory: - associate UPN suffixes with the forest root and then allow for each user account to choose UPN suffix for logon - directly modify userPrincipalName attribute in LDAP Both approaches lead to the same result: AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ. The latter (directly modify userPrincipalName) case has a consequence that this UPN suffix is not visible via netr_DsRGetForestTrustInformation DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN suffix does belong to a trusted Active Directory forest. As result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest. This is
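Review bot: in the trust.py hunk of patch 1/2, `cli_name='upns'` names the option after full user principal names, while the attribute label in the same hunk (`UPN suffixes`) and the commit text both say only suffixes are stored; `upn_suffixes` would match the label and avoid suggesting that `user@realm` values are accepted (the API.txt hunk would need the same rename, and the example command in the commit message should then read `--upn-suffixes=`). Patch 2/2 is cut off in this message, so its hunks could not be reviewed here.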
[Freeipa-devel] [freeipa PR#867][comment] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest

martbab commented:
"""
LGTM, the only little nitpick I have is that the CLI option should be named `--upn-suffixes`, as `--upns` implies that you can specify full user principal names, which you don't. You only specify suffixes.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/867#issuecomment-308396576
[Freeipa-devel] [freeipa PR#854][closed] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
Title: #854: server-side and client-side advises for configuring smart card auth
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/854/head:pr854
git checkout pr854
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
master:
* 0569c02f17f853d97280f52f4a7fefecc72cf45d Extend the advice printing code by some useful abstractions
* e418e9a4ca747886c53d05ae80597834f1d3d021 Prepare advise plugin for smart card auth configuration
ipa-4-5:
* 7ea7ee4326679c098d3e4e4d6a2bc743707708ca Extend the advice printing code by some useful abstractions
* 84ca9761bd47f28b72581d1fe6bd8cfa824b6df3 Prepare advise plugin for smart card auth configuration
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-308390829
[Freeipa-devel] [freeipa PR#854][synchronized] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: server-side and client-side advises for configuring smart card auth Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/854/head:pr854 git checkout pr854 From 1deb530a75b1031b59edb48df1e71678e4e6 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Mon, 5 Jun 2017 16:59:25 +0200 Subject: [PATCH 1/2] Extend the advice printing code by some useful abstractions The advise printing code was augmented by methods that simplify generating bash snippets that report errors or failed commands. https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/base.py | 63 ++-- 1 file changed, 61 insertions(+), 2 deletions(-) diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py index 40dabd0426..ba412b8724 100644 --- a/ipaserver/advise/base.py +++ b/ipaserver/advise/base.py 
@@ -94,8 +94,67 @@ def debug(self, line): if self.options.verbose: self.comment('DEBUG: ' + line) -def command(self, line): -self.content.append(line) +def command(self, line, indent_spaces=0): +self.content.append( +'{}{}'.format(self._format_indent(indent_spaces), line)) + +def _format_indent(self, num_spaces): +return ' ' * num_spaces + +def echo_error(self, error_message, indent_spaces=0): +self.command( +self._format_error(error_message), indent_spaces=indent_spaces) + +def _format_error(self, error_message): +return 'echo "{}" >&2'.format(error_message) + +def exit_on_failed_command(self, command_to_run, + error_message_lines, indent_spaces=0): +self.command(command_to_run, indent_spaces=indent_spaces) +self.exit_on_predicate( +'[ "$?" -ne "0" ]', +error_message_lines, +indent_spaces=indent_spaces) + +def exit_on_nonroot_euid(self): +self.exit_on_predicate( +'[ "$(id -u)" -ne "0" ]', +["This script has to be run as root user"] +) + +def exit_on_predicate(self, predicate, error_message_lines, + indent_spaces=0): +commands_to_run = [ +self._format_error(error_message_line) +for error_message_line in error_message_lines] + +commands_to_run.append('exit 1') +self.commands_on_predicate( +predicate, +commands_to_run, +indent_spaces=indent_spaces) + +def commands_on_predicate(self, predicate, commands_to_run_when_true, + commands_to_run_when_false=None, + indent_spaces=0): +if_command = 'if {}'.format(predicate) +self.command(if_command, indent_spaces=indent_spaces) +self.command('then', indent_spaces=indent_spaces) + +indented_block_spaces = indent_spaces + 2 + +for command_to_run_when_true in commands_to_run_when_true: +self.command( +command_to_run_when_true, indent_spaces=indented_block_spaces) + +if commands_to_run_when_false is not None: +self.command("else", indent_spaces=indent_spaces) +for command_to_run_when_false in commands_to_run_when_false: +self.command( +command_to_run_when_false, +indent_spaces=indented_block_spaces) + +self.command('fi', 
indent_spaces=indent_spaces) class Advice(Plugin): From b4d4fe048ee4c7c03d69283b92010e18c3e88056 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 2 Jun 2017 18:36:29 +0200 Subject: [PATCH 2/2] Prepare advise plugin for smart card auth configuration The plugin contains recipes for configuring Smart Card authentication on FreeIPA server and enrolled client. https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/plugins/smart_card_auth.py | 266 1 file changed, 266 insertions(+) create mode 100644 ipaserver/advise/plugins/smart_card_auth.py diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py new file mode 100644 index 00..5859e35093 --- /dev/null +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -0,0 +1,266 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +from ipalib.plugable import Registry +from ipaplatform.paths import paths +from ipaserver.advise.base import Advice +from ipaserver.install.httpinstance import NSS_OCSP_ENABLED + +register = Registry() + + +@register() +class config_server_for_smart_card_auth(Advice): +""" +Configures smart card authentication via Kerberos (PKINIT) and for WebUI +""" + +description = ("Instructions for
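Review bot: in the ipaserver/advise/base.py hunk, `_format_error` wraps the message in double quotes without any escaping (`'echo "{}" >&2'.format(error_message)`), so a message containing `"` or a backtick yields a broken or command-substituting line in the generated script. If callers are meant to embed `$VAR` references in messages (the smart_card_auth.py advise in PR#893 does exactly that with `${SC_CA_CERT}`), say so in a doc string and escape only `"`, backticks and backslashes; otherwise emit single-quoted strings. Also, `exit_on_failed_command` writes the command and then tests `[ "$?" -ne "0" ]` on the following line, so for a pipeline only the last command's status is checked and any line later inserted between the two would clobber `$?`; emitting `if ! <command>` through `commands_on_predicate` would be more robust. The second patch (smart_card_auth.py) is cut off in this message and was not reviewed here.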
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
Also I get the following error when running authconfig:

```console
authconfig: Authentication module /lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
```

It is understandable, since I have removed the pam_pkcs11 package as per documentation, but it still puzzles me. It may be that I have an old version of authconfig, as I am developing this on F25 where I have authconfig-6.2.10-14.fc25.x86_64.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307427676
[Freeipa-devel] [freeipa PR#849][+pushed] session_storage: Correctly handle string/byte types
URL: https://github.com/freeipa/freeipa/pull/849
Title: #849: session_storage: Correctly handle string/byte types
Label: +pushed
[Freeipa-devel] [freeipa PR#849][closed] session_storage: Correctly handle string/byte types
URL: https://github.com/freeipa/freeipa/pull/849
Author: stlaz
Title: #849: session_storage: Correctly handle string/byte types
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/849/head:pr849
git checkout pr849
[Freeipa-devel] [freeipa PR#849][comment] session_storage: Correctly handle string/byte types
URL: https://github.com/freeipa/freeipa/pull/849
Title: #849: session_storage: Correctly handle string/byte types
martbab commented:
"""
master:

* d665224a85610cccbe7d291e9ed41d2ce7e5b61c session_storage: Correctly handle string/byte types
"""
See the full comment at https://github.com/freeipa/freeipa/pull/849#issuecomment-307413021
[Freeipa-devel] [freeipa PR#840][comment] Add Role 'Enrollment Administrator'
URL: https://github.com/freeipa/freeipa/pull/840
Title: #840: Add Role 'Enrollment Administrator'
martbab commented:
"""
master:

* 468eb3c712140399ed2ec346ff4356bffd590e09 Add Role 'Enrollment Administrator'
"""
See the full comment at https://github.com/freeipa/freeipa/pull/840#issuecomment-307407213
[Freeipa-devel] [freeipa PR#838][closed] Explicitly ask for py2 dependencies in py2 packages
URL: https://github.com/freeipa/freeipa/pull/838
Author: MartinBasti
Title: #838: Explicitly ask for py2 dependencies in py2 packages
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/838/head:pr838
git checkout pr838
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented:
"""
@flo ah sorry I missed that. I will incorporate it into advise then.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307360499
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented:
"""
That section[1] only instructs to configure `pam_cert_auth=true` in the SSSD's `pam` section which is already done on both server and client, see `enable_pam_auth_in_sssd` method. Am I missing something?

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/idm-smart-cards.html
"""
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307358447
[Freeipa-devel] [freeipa PR#854][comment] RFC: server-side smart card auth advise plugin
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: RFC: server-side smart card auth advise plugin
martbab commented:
"""
@flo thanks for your input, I will rework the PR tomorrow.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-306811993
[Freeipa-devel] [freeipa PR#852][+pushed] pkinit manage: introduce ipa-pkinit-manage
URL: https://github.com/freeipa/freeipa/pull/852
Title: #852: pkinit manage: introduce ipa-pkinit-manage
Label: +pushed
[Freeipa-devel] [freeipa PR#847][comment] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847
Title: #847: Turn off OCSP check
martbab commented:
"""
How did we resolve the issue of tracking nssocsp status in sysupgrade state? Shouldn't we record this so that we know it was disabled by our installer/upgrader?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/847#issuecomment-305804717
[Freeipa-devel] [freeipa PR#832][closed] Add remote_plugins subdirectories to RPM
URL: https://github.com/freeipa/freeipa/pull/832
Author: MartinBasti
Title: #832: Add remote_plugins subdirectories to RPM
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/832/head:pr832
git checkout pr832
[Freeipa-devel] [freeipa PR#832][comment] Add remote_plugins subdirectories to RPM
URL: https://github.com/freeipa/freeipa/pull/832
Title: #832: Add remote_plugins subdirectories to RPM
martbab commented:
"""
ipa-4-5:

* 359e3f261705976229bace2d0a22546670181603 Add remote_plugins subdirectories to RPM

master:

* 71adc8cd3ff6d6e54f332e94bfda3ed59396de90 Add remote_plugins subdirectories to RPM
"""
See the full comment at https://github.com/freeipa/freeipa/pull/832#issuecomment-305123104
[Freeipa-devel] [freeipa PR#831][+pushed] [4.4] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/831
Title: #831: [4.4] custodia dep: require explictly python2 version
Label: +pushed
[Freeipa-devel] [freeipa PR#830][+pushed] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/830
Title: #830: custodia dep: require explictly python2 version
Label: +pushed
[Freeipa-devel] [freeipa PR#830][comment] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/830
Title: #830: custodia dep: require explictly python2 version
martbab commented:
"""
master:

* a90a113b66fca620b04635442b135a5136ece7ba custodia dep: require explictly python2 version

ipa-4-5:

* 444107a00bf995aca62aba74ea02b52e577ab791 custodia dep: require explictly python2 version
"""
See the full comment at https://github.com/freeipa/freeipa/pull/830#issuecomment-305122168
[Freeipa-devel] [freeipa PR#830][closed] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/830
Author: MartinBasti
Title: #830: custodia dep: require explictly python2 version
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/830/head:pr830
git checkout pr830
[Freeipa-devel] [freeipa PR#801][+pushed] httpinstance: wait until the service entry is replicated
URL: https://github.com/freeipa/freeipa/pull/801
Title: #801: httpinstance: wait until the service entry is replicated
Label: +pushed
[Freeipa-devel] [freeipa PR#801][closed] httpinstance: wait until the service entry is replicated
URL: https://github.com/freeipa/freeipa/pull/801
Author: HonzaCholasta
Title: #801: httpinstance: wait until the service entry is replicated
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/801/head:pr801
git checkout pr801
[Freeipa-devel] [freeipa PR#801][+ack] httpinstance: wait until the service entry is replicated
URL: https://github.com/freeipa/freeipa/pull/801
Title: #801: httpinstance: wait until the service entry is replicated
Label: +ack
[Freeipa-devel] [freeipa PR#797][comment] ipa-replica-conncheck: handle ssh not installed
URL: https://github.com/freeipa/freeipa/pull/797
Title: #797: ipa-replica-conncheck: handle ssh not installed
martbab commented:
"""
ipa-4-5:

* bacccb70a2e91efa22ee19aec9cca75bac94bd95 ipa-replica-conncheck: handle ssh not installed

master:

* f960450820c13284b52b4c5f420f0f1191a45619 ipa-replica-conncheck: handle ssh not installed
"""
See the full comment at https://github.com/freeipa/freeipa/pull/797#issuecomment-304832646
[Freeipa-devel] [freeipa PR#797][+pushed] ipa-replica-conncheck: handle ssh not installed
URL: https://github.com/freeipa/freeipa/pull/797
Title: #797: ipa-replica-conncheck: handle ssh not installed
Label: +pushed
[Freeipa-devel] [freeipa PR#797][closed] ipa-replica-conncheck: handle ssh not installed
URL: https://github.com/freeipa/freeipa/pull/797
Author: flo-renaud
Title: #797: ipa-replica-conncheck: handle ssh not installed
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/797/head:pr797
git checkout pr797
[Freeipa-devel] [freeipa PR#821][synchronized] fix incorrect suffix handling in topology checks
URL: https://github.com/freeipa/freeipa/pull/821
Author: martbab
Title: #821: fix incorrect suffix handling in topology checks
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/821/head:pr821
git checkout pr821

From 25bb509404d8111fd761ec3074e558a725c7dadd Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Fri, 26 May 2017 12:23:51 +0200
Subject: [PATCH] fix incorrect suffix handling in topology checks

When trying to delete a partially removed master entry lacking 'iparepltopomanagedsuffix' attribute, the code that tries to retrieve the value for further computations passes None and causes unhandled internal errors. If the attribute is empty or not present, we should return empty list instead as to not break calling cod attribute, the code that tries to retrieve the value for further computations passes None and causes unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965

--- ipaserver/topology.py | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/ipaserver/topology.py b/ipaserver/topology.py index 385da29a66..2b6b083547 100644 --- a/ipaserver/topology.py +++ b/ipaserver/topology.py @@ -72,12 +72,15 @@ def get_topology_connection_errors(graph): def map_masters_to_suffixes(masters): masters_to_suffix = {} +managed_suffix_attr = 'iparepltopomanagedsuffix_topologysuffix' for master in masters: -try: -managed_suffixes = master.get( -'iparepltopomanagedsuffix_topologysuffix') -except KeyError: +if managed_suffix_attr not in master: +continue + +managed_suffixes = master[managed_suffix_attr] + +if managed_suffixes is None: continue for suffix_name in managed_suffixes:
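Review bot: the removed `try: managed_suffixes = master.get(...) except KeyError:` was dead code, since `dict.get` never raises KeyError, which is exactly how `None` reached `for suffix_name in managed_suffixes`; the new `if managed_suffix_attr not in master` / `if managed_suffixes is None` pair fixes that, but a single `managed_suffixes = master.get(managed_suffix_attr) or []` would cover absent, None and empty values in one line. The commit message also still carries a duplicated, truncated sentence ("... to not break calling cod attribute, the code that tries ...") that should be cleaned up before this is pushed.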
[Freeipa-devel] [freeipa PR#821][comment] fix incorrect suffix handling in topology checks
URL: https://github.com/freeipa/freeipa/pull/821
Title: #821: fix incorrect suffix handling in topology checks
martbab commented:
"""
@pvoborni it shouldn't but given how our framework sometimes (mis)-behaves the possibility is there.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/821#issuecomment-304643335
[Freeipa-devel] [freeipa PR#817][closed] [py3] Change ConfigParser to RawConfigParser
URL: https://github.com/freeipa/freeipa/pull/817
Author: stlaz
Title: #817: [py3] Change ConfigParser to RawConfigParser
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/817/head:pr817
git checkout pr817
[Freeipa-devel] [freeipa PR#817][comment] [py3] Change ConfigParser to RawConfigParser
URL: https://github.com/freeipa/freeipa/pull/817
Title: #817: [py3] Change ConfigParser to RawConfigParser
martbab commented:
"""
master:

* 35675ca2bbe9c044f115764a2daac45f7468be00 Change ConfigParser to RawConfigParser
"""
See the full comment at https://github.com/freeipa/freeipa/pull/817#issuecomment-304306864
[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using
URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: [WIP] Refactoring cert-find to use API call directly instead of using
martbab commented:
"""
Remember that you have to use 'exact=False' in the filter to perform substring search for krbPrincipalName given the fact that (except for services) the principal is constructed from primary key by appending realm (and prepending `host/` in the case of hosts). This, however, opens a range of possibilities for new bugs to creep in (considering 'tuser' is the owner but we have 'tuser1' and 'tuser2' in LDAP, what will your search filter return?).

That's why I think this is not a correct solution given we currently reference owners by primary keys and not by principals (krbPrincipalName != primary key in most cases except services without krbCanonicalName attribute). I am more inclined to @HonzaCholasta's solution as it seems cleaner to me. An alternative is to report principals as cert owners, which will break API, however.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/812#issuecomment-304304587
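The over-matching described in the comment above, as an added Python illustration that is not FreeIPA code: a constructed in-memory stand-in for the directory, the kind of substring filter a non-exact match produces, and the exact principal built from the primary key plus realm (the realm, the entries and all function names are made up for the example).

```python
# Added example, not FreeIPA code: why a substring (exact=False) filter on
# krbPrincipalName over-matches when a certificate owner is identified by its
# primary key, and how building the full principal avoids it. The realm and
# the entries below are constructed.
from fnmatch import fnmatchcase

REALM = 'EXAMPLE.TEST'   # constructed realm

# Constructed stand-ins for LDAP entries: users keyed by uid, hosts by fqdn.
ENTRIES = [
    {'uid': 'tuser', 'krbPrincipalName': 'tuser@EXAMPLE.TEST'},
    {'uid': 'tuser1', 'krbPrincipalName': 'tuser1@EXAMPLE.TEST'},
    {'uid': 'tuser2', 'krbPrincipalName': 'tuser2@EXAMPLE.TEST'},
    {'fqdn': 'tuser.example.test',
     'krbPrincipalName': 'host/tuser.example.test@EXAMPLE.TEST'},
]


def substring_filter(attr, value):
    """Filter a non-exact match produces: (attr=*value*)."""
    return attr, '*%s*' % value


def exact_filter(attr, value):
    """Filter an exact match produces: (attr=value)."""
    return attr, value


def search(entries, ldap_filter):
    """Evaluate a one-attribute filter the way an LDAP substring match would
    (glob semantics are close enough for principal names)."""
    attr, pattern = ldap_filter
    return [e for e in entries if fnmatchcase(e.get(attr, ''), pattern)]


def principal_for_owner(owner_kind, primary_key, realm=REALM):
    """Build the principal from the primary key as the comment describes:
    append the realm, and prepend 'host/' for hosts."""
    if owner_kind == 'host':
        return 'host/%s@%s' % (primary_key, realm)
    return '%s@%s' % (primary_key, realm)


def owners_by_substring(primary_key):
    """The risky lookup: every principal containing the key matches,
    including other users and even host principals."""
    return search(ENTRIES, substring_filter('krbPrincipalName', primary_key))


def owners_by_exact_principal(owner_kind, primary_key):
    """The safe lookup: only the principal derived from the key can match."""
    principal = principal_for_owner(owner_kind, primary_key)
    return search(ENTRIES, exact_filter('krbPrincipalName', principal))


if __name__ == '__main__':
    print('substring:', [e['krbPrincipalName'] for e in owners_by_substring('tuser')])
    print('exact:', [e['krbPrincipalName']
                     for e in owners_by_exact_principal('user', 'tuser')])
```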
[Freeipa-devel] [freeipa PR#816][+pushed] only stop/disable simple service if it is installed
URL: https://github.com/freeipa/freeipa/pull/816
Title: #816: only stop/disable simple service if it is installed
Label: +pushed
[Freeipa-devel] [freeipa PR#816][comment] only stop/disable simple service if it is installed
URL: https://github.com/freeipa/freeipa/pull/816
Title: #816: only stop/disable simple service if it is installed
martbab commented:
"""
ipa-4-5:

* 6114150de20a7d8371c7383f619cd0fefe339cbf only stop/disable simple service if it is installed

master:

* 8b6f8ed7d47542b9bd8b7453a8a0e202ed1db97d only stop/disable simple service if it is installed
"""
See the full comment at https://github.com/freeipa/freeipa/pull/816#issuecomment-304293870
[Freeipa-devel] [freeipa PR#790][closed] RFC: API for reporting PKINIT status
URL: https://github.com/freeipa/freeipa/pull/790
Author: martbab
Title: #790: RFC: API for reporting PKINIT status
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/790/head:pr790
git checkout pr790
[Freeipa-devel] [freeipa PR#790][comment] RFC: API for reporting PKINIT status
URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status
martbab commented:
"""
ipa-4-5:

* c4aa3a17694b1ad8f9c60c98a95d217c01fc736c Allow for multivalued server attributes
* 753f8cf3aff07d22b35005b973e8518665d1fe6f Refactor the role/attribute member reporting code
* fbccb748a1c85b7ed67946ba7a11a960b839bcc9 Add an attribute reporting client PKINIT-capable servers
* 733cef9d5b0ae8312789371689939902d257 Add the list of PKINIT servers as a virtual attribute to global config
* 6b815aae7174693b4952f2c60e7201d99e7b9684 Add `pkinit-status` command
* 4fa29a33765cb5d6ce86846f37766e5d3322f25f test_serverroles: Get rid of MockLDAP and use ldap2 instead

master:

* bddb90f38a3505a2768862d2f814c5e749a7dcde Allow for multivalued server attributes
* cac7e49daa04e838650548cc9162b8f117dc55b3 Refactor the role/attribute member reporting code
* d8bb23ac389929f28c584602e592b821e4c6ef9a Add an attribute reporting client PKINIT-capable servers
* f80553208e8d9f3df422f5be8e1cafa511e1b2c4 Add the list of PKINIT servers as a virtual attribute to global config
* 99352731b4b4bdcedfe6668ce71c1d67720ac4af Add `pkinit-status` command
* 58fd229a1dbb3f00a591de9417f36197141e26d7 test_serverroles: Get rid of MockLDAP and use ldap2 instead
"""
See the full comment at https://github.com/freeipa/freeipa/pull/790#issuecomment-304292760
[Freeipa-devel] [freeipa PR#790][+pushed] RFC: API for reporting PKINIT status
URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status
Label: +pushed
[Freeipa-devel] [freeipa PR#821][opened] fix incorrect suffix handling in topology checks
URL: https://github.com/freeipa/freeipa/pull/821
Author: martbab
Title: #821: fix incorrect suffix handling in topology checks
Action: opened

PR body:
"""
When trying to delete a partially removed master entry lacking 'iparepltopomanagedsuffix' attribute, the code that tries to retrieve the value for further computations passes None and causes unhandled internal errors. If the attribute is empty or not present, we should return empty list instead as to not break calling cod attribute, the code that tries to retrieve the value for further computations passes None and causes unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/821/head:pr821
git checkout pr821

From 7543b48870f1046067fd8adf4106bb72c6b688dc Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Fri, 26 May 2017 12:23:51 +0200
Subject: [PATCH] fix incorrect suffix handling in topology checks

When trying to delete a partially removed master entry lacking 'iparepltopomanagedsuffix' attribute, the code that tries to retrieve the value for further computations passes None and causes unhandled internal errors. If the attribute is empty or not present, we should return empty list instead as to not break calling cod attribute, the code that tries to retrieve the value for further computations passes None and causes unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965

--- ipaserver/topology.py | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/ipaserver/topology.py b/ipaserver/topology.py index 385da29a66..7da68552f5 100644 --- a/ipaserver/topology.py +++ b/ipaserver/topology.py 
@@ -74,11 +74,8 @@ def map_masters_to_suffixes(masters): masters_to_suffix = {} for master in masters: -try: -managed_suffixes = master.get( -'iparepltopomanagedsuffix_topologysuffix') -except KeyError: -continue +managed_suffixes = master.get( +'iparepltopomanagedsuffix_topologysuffix', []) for suffix_name in managed_suffixes: try:
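Review bot: `master.get('iparepltopomanagedsuffix_topologysuffix', [])` only covers an absent attribute; the commit message says the value may be "empty or not present" and describes the code "passing None", and if the entry carries the key with an explicit `None` value the default is never used, so `for suffix_name in managed_suffixes` still raises TypeError. `master.get('iparepltopomanagedsuffix_topologysuffix') or []` handles absent, None and empty alike.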
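As an added example that is not part of the PR, the two revisions of the suffix lookup (the `.get(..., [])` variant above and the explicit absent/None checks from the synchronized revision) run against constructed master entries; the suffix bookkeeping is a simplified stand-in for ipaserver/topology.py, and the entry values and helper names are made up.

```python
# Added example, not FreeIPA code: how the two revisions of the suffix lookup
# in map_masters_to_suffixes() treat a master entry whose managed-suffix
# attribute is absent, None or empty. Entry values below are constructed.

ATTR = 'iparepltopomanagedsuffix_topologysuffix'

# Constructed stand-ins for the LDAP entries the real function iterates over.
MASTERS = [
    {'cn': 'master1.example.test', ATTR: ['domain', 'ca']},
    {'cn': 'master2.example.test', ATTR: ['domain']},
    {'cn': 'half-removed.example.test'},           # attribute absent
    {'cn': 'odd.example.test', ATTR: None},        # attribute present, value None
    {'cn': 'empty.example.test', ATTR: []},        # attribute present, empty
]


def _record(masters_to_suffix, suffix_name, master):
    # Simplified bookkeeping; the real code resolves suffix objects here.
    masters_to_suffix.setdefault(suffix_name, []).append(master['cn'])


def map_masters_to_suffixes_v1(masters):
    """First PR revision: a default on .get() only covers the absent key."""
    masters_to_suffix = {}
    for master in masters:
        managed_suffixes = master.get(ATTR, [])
        for suffix_name in managed_suffixes:      # TypeError when value is None
            _record(masters_to_suffix, suffix_name, master)
    return masters_to_suffix


def map_masters_to_suffixes_v2(masters):
    """Synchronized revision: skip masters with an absent or None attribute."""
    masters_to_suffix = {}
    for master in masters:
        if ATTR not in master:
            continue
        managed_suffixes = master[ATTR]
        if managed_suffixes is None:
            continue
        for suffix_name in managed_suffixes:
            _record(masters_to_suffix, suffix_name, master)
    return masters_to_suffix


def raises_type_error(func, *args):
    """Return True if func(*args) raises TypeError (shows the v1 failure)."""
    try:
        func(*args)
    except TypeError:
        return True
    return False


if __name__ == '__main__':
    print('v1 raises TypeError:', raises_type_error(map_masters_to_suffixes_v1, MASTERS))
    print('v2 result:', map_masters_to_suffixes_v2(MASTERS))
```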
[Freeipa-devel] [freeipa PR#820][synchronized] Amend some regressions in backup/restore tests
URL: https://github.com/freeipa/freeipa/pull/820
Author: martbab
Title: #820: Amend some regressions in backup/restore tests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/820/head:pr820
git checkout pr820

From 131208291ececfec78ae8b0bba2fe7330a61b1a3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Thu, 25 May 2017 14:02:10 +0200
Subject: [PATCH 1/2] test_backup_restore: do not fail on missing KrbLastSuccessfulAuth

Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by default (see https://pagure.io/freeipa/issue/5313), the 'KrbLastSuccessfulAuth' may not always be present on the user entry. The restored entry checker in backup/restore suite should consider this.

https://pagure.io/freeipa/issue/6956

--- ipatests/test_integration/test_backup_and_restore.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py index 833baed366..2899434b9d 100644 --- a/ipatests/test_integration/test_backup_and_restore.py +++ b/ipatests/test_integration/test_backup_and_restore.py @@ -58,7 +58,7 @@ def check_admin_in_ldap(host): assert entry.dn == user_dn assert entry['uid'] == ['admin'] -del entry['krbLastSuccessfulAuth'] +entry.pop('krbLastSuccessfulAuth', None) return entry

From e9ca893c5b5785c0e00a0373b43b1a5db3cf1237 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Fri, 26 May 2017 12:39:35 +0200
Subject: [PATCH 2/2] Do not delete DS and PKI users during backup/restore tests

Since the creation of DS and PKI users is now handled by RPMs and not at runtime in FreeIPA 4.5.x, we should no longer remove them during backup/restore tests.

https://pagure.io/freeipa/issue/6956

--- ipatests/test_integration/test_backup_and_restore.py | 4 1 file changed, 4 deletions(-)
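Review bot: in the `check_admin_in_ldap` hunk of patch 1/2, `entry.pop('krbLastSuccessfulAuth', None)` silently discards the attribute whether or not it is present, and nothing in the test says why; a one-line comment next to it pointing at the 'Disable last successful auth' default (https://pagure.io/freeipa/issue/5313, as the commit message explains) would keep that intent visible to the next person editing the checker.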
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py index 2899434b9d..bb648d71b7 100644 --- a/ipatests/test_integration/test_backup_and_restore.py +++ b/ipatests/test_integration/test_backup_and_restore.py @@ -23,7 +23,6 @@ import re import contextlib -from ipaplatform.constants import constants from ipapython.ipa_log_manager import log_mgr from ipapython.dn import DN from ipatests.test_integration.base import IntegrationTest @@ -165,9 +164,6 @@ def test_full_backup_and_restore_with_removed_users(self): '--uninstall', '-U']) -self.master.run_command(['userdel', constants.DS_USER]) -self.master.run_command(['userdel', constants.PKI_USER]) - homedir = os.path.join(self.master.config.test_dir, 'testuser_homedir') self.master.run_command(['useradd', 'ipatest_user1',
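Review bot: dropping `from ipaplatform.constants import constants` in the first hunk is only safe if `constants` has no other use in test_backup_and_restore.py; the patch shows just the two `userdel` call sites going away, so please confirm (pylint or a grep) that nothing else in the module references it.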
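Review bot: with the `userdel constants.DS_USER` / `userdel constants.PKI_USER` lines removed in the second hunk, the name `test_full_backup_and_restore_with_removed_users` no longer describes what the test does; either rename it or add a docstring saying that since 4.5.x the DS and PKI users come from the RPMs and survive the uninstall, so the test now exercises restore over pre-existing system users.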
[Freeipa-devel] [freeipa PR#802][comment] Improve cert messages some more + do that for KDC certs as well
URL: https://github.com/freeipa/freeipa/pull/802
Title: #802: Improve cert messages some more + do that for KDC certs as well
martbab commented:
"""
I would personally prefer to let the output as is (be it verbose) rather than spending time on trying to devise some fancy-pants output parsing code that would pull in additional bugs and inconsistencies.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/802#issuecomment-304261563
[Freeipa-devel] [freeipa PR#701][comment] ipa help doesn't always work
URL: https://github.com/freeipa/freeipa/pull/701
Title: #701: ipa help doesn't always work
martbab commented:
"""
@neffs please fix pylint error reported in Travis CI:

```console
* Module ipaclient.remote_plugins.schema
ipaclient/remote_plugins/schema.py:519: [E1101(no-member), Schema.get_help] Instance of 'dict' has no 'decode' member)
make: *** [pylint] Error 2
Makefile:1175: recipe for target 'pylint' failed
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/701#issuecomment-304254492
[Freeipa-devel] [freeipa PR#819][closed] [ipa-4-5] Change python-cryptography to python2-cryptography
URL: https://github.com/freeipa/freeipa/pull/819
Author: pvomacka
Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/819/head:pr819
git checkout pr819
[Freeipa-devel] [freeipa PR#819][+pushed] [ipa-4-5] Change python-cryptography to python2-cryptography
URL: https://github.com/freeipa/freeipa/pull/819
Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography
Label: +pushed
[Freeipa-devel] [freeipa PR#819][+ack] [ipa-4-5] Change python-cryptography to python2-cryptography
URL: https://github.com/freeipa/freeipa/pull/819
Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography
Label: +ack
[Freeipa-devel] [freeipa PR#790][comment] RFC: API for reporting PKINIT status
URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status
martbab commented:
"""
@HonzaCholasta thanks for looking on API, anyone for functional review?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/790#issuecomment-304218253
[Freeipa-devel] [freeipa PR#796][+pushed] Move selinux booleans to ipaplatform
URL: https://github.com/freeipa/freeipa/pull/796
Title: #796: Move selinux booleans to ipaplatform
Label: +pushed
[Freeipa-devel] [freeipa PR#796][closed] Move selinux booleans to ipaplatform
URL: https://github.com/freeipa/freeipa/pull/796
Author: MartinBasti
Title: #796: Move selinux booleans to ipaplatform
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/796/head:pr796
git checkout pr796
[Freeipa-devel] [freeipa PR#796][+ack] Move selinux booleans to ipaplatform
URL: https://github.com/freeipa/freeipa/pull/796
Title: #796: Move selinux booleans to ipaplatform
Label: +ack
[Freeipa-devel] [freeipa PR#811][+pushed] [4.5] Remove pkinit-anonymous command
URL: https://github.com/freeipa/freeipa/pull/811
Title: #811: [4.5] Remove pkinit-anonymous command
Label: +pushed
[Freeipa-devel] [freeipa PR#811][+ack] [4.5] Remove pkinit-anonymous command
URL: https://github.com/freeipa/freeipa/pull/811
Title: #811: [4.5] Remove pkinit-anonymous command
Label: +ack